Firefox 3.06 Fixes 6 vulnerabilities

Only 1 of the 6 is very serious, but it's time to update your browser nevertheless.

Mozilla.org released new versions yesterday of Firefox, SeaMonkey and Thunderbird, addressing a total of 6 vulnerabilities. All 6 affect Firefox; two affect SeaMonkey and one affects Thunderbird.

You can get the new Firefox 3.06 through the usual updating mechanisms, including a direct download from here. Thunderbird 2.0.0.21 and SeaMonkey 1.1.15, announced in these advisories, are not yet available for download as of the morning of 2/4/2009.

The details of the vulnerabilities include:

2009-01: Crashes with evidence of memory corruption (Critical)
This is the only one rated Critical by Mozilla and the only one that affects all 3 programs. Stability errors triggered through JavaScript cause crashes, which the team presumes could be exploitable. Note that this is the only vulnerability in this group to affect Thunderbird, and JavaScript is not turned on by default in that product. Were the advisory written only for Thunderbird, it likely would have been rated much lower than Critical, and this makes the whole update a less pressing matter for Thunderbird users.

2009-06: Directives to not cache pages ignored (Low)
Firefox ignores some HTTP controls for not caching web pages, with the result that, on a multi-user system, private data could be exposed to a different user. This seems more than a "Low" bug to me, but perhaps it's more difficult to exploit than the advisory implies.